May 06, 2006 | Comments: (0)
Comments to my Monoculture column
People wrote in about my Monoculture article: http://www.infoworld.com/article/06/05/05/78046_19OPsecadvise_1.html
----------------
Computing monoculture is a problem. When worms hit highly networked countries like South Korea that have 98% Windows running on all their computer systems, it brought the country's infrastructure down. Not just business and home computers, it also afflicted ATMs and cashier counters.
Our engineering campus with 4790 computers of 61% Windows, 23% Mac OSX, 8.7% Linux, 7% Unix (AIX, HP-UX, Irix, Solaris, BSDs, misc QNX) fared much better, while the Koreans were hurting. Sure, our networks were slowed down somewhat, but most of us could get our work done.
Except for the poor system administrators who had to run around like decapitated chickens plugging and reloading Windows computers.
Departments with fewer Windows computers fared much better in the 2002-2004 Windows worm era.
If one's dependence on a single OS is so great, one massively destructive worm could collapse the infrastructure. Ask the Irish about the potato famine, or why one advises farmers not to grow a single crop in an area. Monoculture being harmful is common sense; your column only talks about having to patch multiple OSes as the reason why it's difficult to maintain a secure environment. Which is a matter of manpower, not reducing exposure to vulnerability. Would you want your neighborhood nuclear power plant, Delta rockets, Trident missiles, GPS satellites, x-ray/CAT/MRI machines to all run on Windows? I sure as hell wouldn't, even if it was on OpenBSD. So me being against computing monoculture has nothing to do with being anti-Microsoft.
It's about being against dependence on a single OS and trusting it to withstand the worst worm/virus spreading throughout the world.
Dan Geer was fired prematurely; his warnings were right on. Network worms that can choke a network switch are yet another reason not to rely on VoIP for businesses, but I digress. Here is a question: should we rely on a single source or single vendor to provide us with protection against all the pathogens in the world? If a single company in the world provided 95% of all the known vaccines for humans, wouldn't you be worried that there is a chance this company would not be able to protect you against the latest H5N1 or SARS outbreak? The government advisory boards are smart enough to realize such a dependence on a single contractor would be folly. It's a shame the government and you don't realize the same is true for operating systems. Well, I should say not everyone in the government. Richard Clarke talked about this problem on the PBS show Cyberwar. I recommend you watch it sometime.
http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/
Personally, I would feel better with 70% / 25% / 5% ratio of three major OSes globally. I'm not for supporting five different Unixes and 20 Linux distros either. Just less Windows, more Mac OSX or one Linux vendor, then to a lesser degree some other different OS to work on the servers.
________________
I'll agree with most of your items except the piece about MS-Office and PDF. There's any number of save-to-PDF add-ons readily available for Office, and ODF is being pushed as a replacement for DOC/XLS/PPT, not for PDF format. The recent pushes by Massachusetts and the EU to standardize on ODF for document storage confirm this.
By the way, OpenOffice saves to PDF and ODF natively, and is free.
_______________________
Okay, let me state my biases up front: I'm a Mac guy in a company that's roughly 2/3 Macs and 1/3 Windows, with all critical servers running on Xserves. I think Mac OS X is the best operating system around and believe that while Windows has made XP a mostly-tolerable operating system, it's still mediocre at best.
That said, I think that avoiding a monoculture is an important strategic goal and any long-term projects should bear that goal in mind. It's not necessary to have hard quota numbers (though, something like "10% of our desktops running non-Windows OSes by the end of FY '07" might be a very achievable milestone), but decisions should be evaluated in part on whether they perpetuate vendor lock-in.
For instance: If you're looking at an enterprise application with a Web front end, somebody should be asking the question, "How does this work with Firefox? With Safari? Does it depend on ActiveX?" If you're looking at a new hire, even if you're currently a Windows shop, maybe that DBA with SQL Server and MySQL experience might be a better choice than the guy with more MS SQL experience but nothing outside that specialty. If nothing else, a staff with diverse backgrounds will bring a fresher perspective to your enterprise than a group with cookie-cutter resumes.
As you also point out, application diversity is its own advantage, and also can be simple to accomplish. What percentage of your users have Firefox and IE both installed on their systems? Some will use one, some will use another, and at least part of your user base will be immune to whichever virus comes along.
There's a sweet spot between utter anarchy and regimented lockstep where a diverse enterprise can be more secure against zero-day vulnerabilities without losing the ability to manage systems. Hitting that sweet spot should be in every company's long-term objectives.
___________________
In your monoculture column (very convincing, I might add, so I'll not be arguing that any more) you say you can't make PDFs for free. Not true at all. OS X generates PDFs from every application that can print, for free. And you can find Windows (and no doubt Linux) applications that will do the same for free as well.
So you want to get into publishing seriously? Then you have to pay for InDesign or Acrobat Pro. So yes, if you want to do peer reviewing of documents with commenting sans Word, or generate print-quality PDFs with transparency and layers that you can modify without the original application when the document is at the printshop or service bureau, then you have to pay. Or, to create documents where people can fill in information in fields (like IRS 1040 forms, etc.), you need Acrobat Pro.
As for OpenDocument replacing PDFs, what about this from Wikipedia?
"There are already applications that currently read/write OpenDocument that export Tagged PDF files (in support of PDF accessibility); this suggests that much or all of the necessary data for accessibility is already included in the OpenDocument format."
Why would they be concerned with PDF compatibility if it replaces it?
Besides, the whole publishing industry is moving to a PDF workflow. PDF/X and other implementations of PostScript 3 are making PDFs the dominant standard through which most publishing applications will write to file formats that printers and service bureaus use. EPS is the past. And so are proprietary Quark, InDesign and other formats. PDF is the future of printing.
For the average business communication, or presentation, I can see OpenDocument having a shot. But with the dominance of Microsoft Office, and the brainwashed masses of MCSE graduates who make software purchasing decisions, is there really any hope of that happening?
Posted by Roger Grimes on May 6, 2006 12:51 AM